How to lock down enterprise web browsers

Your organization's web browser is essentially your operating system for the cloud. Secure it appropriately.

Browsers. You can’t use the Internet without them, but they introduce insecurity and instability into the computing environment. Browsers are the operating system of cloud computing, and protecting them will only become more important.

Just last week, Google released patches to fix zero-day vulnerabilities in Chrome. As Kaspersky noted in its blog, “The attack leverages a waterhole-style injection on a Korean-language news portal. A malicious JavaScript code was inserted in the main page, which in turn loads a profiling script from a remote site.” The profiling script determined which browser version and operating system the victim was running. Like many attacks, the goal was to gain persistence on the computer; in this case the malware installed tasks in Windows Task Scheduler.

Both the new Microsoft Edge browser, based on the Chrome engine, and the existing Chrome browser will face increasing targeted attacks and zero-day vulnerabilities. Look at your user base and determine whether their roles and activities put them at increased risk. For highly sensitive machines, you might want to take the drastic step of locking down the browser.

Actions you can take include disabling JavaScript in the browser and deploying plug-ins or browser scanning tools that help keep your user base safe.

How to disable JavaScript in a browser

To disable JavaScript in Chrome, select Menu (the three vertical dots on the far upper right of the browser) -> Settings -> Advanced -> Privacy and Security -> Site Settings. Under “Permissions” look for “JavaScript”. Toggle the setting to “Blocked”.

So many websites depend on JavaScript that you might find this option too extreme. A wiser approach in a risky environment is to identify the sites for which you must have JavaScript and allow it to run only on those. Add those sites in the exceptions section by clicking “Add” under “Allowed”, enter the URL of the website in the field, and then set the behavior to “Block” or “Allow”. You can even scope an exception to part of a website rather than the whole site.

Figure: Add JavaScript exceptions (screenshot: Susan Bradley)

You can also add the Smart Screen technology via a browser extension from Microsoft to Chrome to prescan sites for JavaScript.

Figure: Add the Smart Screen technology to Chrome

The extension allows users to report suspicious sites.

Figure: The extension allows users to report suspicious websites

Keep browsers patched and up to date

Recent versions of Chrome support site isolation, so it’s imperative that you keep every browser installed on every device (desktops, phones, tablets) up to date and patched, not only to ensure you have all security fixes but also so that you receive new protection technologies such as this one. Even Microsoft is jumping on the Chrome bandwagon, basing its new Edge browser on the Chrome engine. At its Ignite conference, Microsoft announced new logos and new plans as it attempts to reboot its beleaguered Edge browser.

Microsoft has announced that Edge is ready for business evaluation and is urging administrators to download and test it. The new browser has Group Policy templates that are separate and distinct from the older Edge Group Policy settings. They let you control settings such as:

Cast

Content settings

Default search provider

Extensions

HTTP authentication

Native Messaging

Password manager and protection

Printing

Proxy server

SmartScreen settings

For updating purposes, you will be able to control applications and preferences, and you will be able to set a proxy server through Group Policy settings. Edge will update independently of the operating system, giving administrators more flexibility.
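The “block JavaScript everywhere, allow it only on named sites” approach described earlier can be enforced centrally through the Content settings policies that these templates expose, rather than by clicking through each user’s Settings page. The script below is an added example, not from the article or from Microsoft or Google; the policy names and registry paths are the documented Chromium enterprise policies for Chrome and the Chromium-based Edge, while the two allowlisted URL patterns are placeholders you must replace with your own sites.

```powershell
# Added example: enforce "JavaScript blocked by default, allowed on an explicit list"
# for Chrome and the new Edge via their HKLM policy keys (what a GPO writes).
# Placeholder patterns: replace with the internal sites that genuinely need JavaScript.
$AllowedSites = @(
    'https://[*.]intranet.example',   # placeholder: internal portal and its subdomains
    'https://sso.example'             # placeholder: identity provider sign-in page
)

# Both Chromium-based browsers read machine policy from these roots.
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)

function Set-JavaScriptLockdown {
    param([string]$Root, [string[]]$Allowed)
    $listKey = Join-Path $Root 'JavaScriptAllowedForUrls'
    New-Item -Path $Root -Force | Out-Null
    # DefaultJavaScriptSetting: 1 = allow on all sites, 2 = block on all sites.
    Set-ItemProperty -Path $Root -Name 'DefaultJavaScriptSetting' -Value 2 -Type DWord
    # Rebuild the allowlist from scratch so stale exceptions do not linger.
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null
    $i = 1
    foreach ($pattern in $Allowed) {
        # List policies are stored as numbered REG_SZ values named 1, 2, 3, ...
        Set-ItemProperty -Path $listKey -Name "$i" -Value $pattern -Type String
        $i++
    }
}

function Test-JavaScriptLockdown {
    # Read the policy back so the change can be audited after deployment.
    param([string]$Root)
    $default = (Get-ItemProperty -Path $Root).DefaultJavaScriptSetting
    $key = Get-Item -Path (Join-Path $Root 'JavaScriptAllowedForUrls')
    $allowed = $key.GetValueNames() | Sort-Object { [int]$_ } |
        ForEach-Object { $key.GetValue($_) }
    [pscustomobject]@{ Root = $Root; DefaultBlocked = ($default -eq 2); Allowed = @($allowed) }
}

foreach ($root in $PolicyRoots) {
    Set-JavaScriptLockdown -Root $root -Allowed $AllowedSites
    Test-JavaScriptLockdown -Root $root | Format-List
}
```

Run from an elevated prompt; the browser reports the effective result at chrome://policy or edge://policy, where a per-site exception a user adds in Settings cannot override a policy set this way.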

Bottom line: if your firm still relies on Internet Explorer Enterprise Mode to handle internal corporate websites, it’s time to test the Chrome-based Edge. Treat browsers as a platform that you need to protect and defend as much as the operating system itself.